When a new user registers on a WordPress-run website, a randomly generated 12 character password is automatically sent to the email address they had registered with. The person can then login with their username and the generated password. If the user want, they can change their password on first login, but WordPress doesn’t force them to do so.

If you’d like new users on your website to change their password on first login, then you can enforce this rule using a simple plugin called Force Password Change. To use it, simply upload it to the plugin folder, activate it, and you’re good to go. No settings to meddle with.

After activating, this plugin redirects newly-registered users to their profile page (Admin -> Edit Profile) when they log in for the first time. On the profile page an admin notice is displayed asking the user to change their password. Until they do so, they won’t be allowed to access either the front-end or other admin pages.

The plugin works by adding a user meta field on registration, then checks for it when a user logs in. If the value is found, user is redirected to the edit profile page. After they change their password the user meta field is removed so that they can normally use the website.

Force Password Change plugin can also be useful if you, as an admin, manually register new users and set password for them. This will make sure they don’t continue using the same. A simple and effective solution.